Abstract: To address security challenges in software defined networking (SDN) architecture, centered on the security audit aspect of the SDN architecture, the traditional network security audit solutions and the SDN architecture’s centralized control features were combined. A security audit system was designed and implemented based on the Floodlight controller and was operated in the SDN environment, in which the collection, analysis, storage of audit events and other functions were included. A backtracking algorithm against DDoS scenario was designed to detect the attackers and dummy hosts via reviewing and analyzing security audit events retrospectively. Besides, a sliding window segmentation algorithm was proposed which extracted user’s behavior patterns after implementing sequence analysis against security audit events. Based on the Levenshtein algorithm to the similarity of sequence patterns were calculated, then according to the similarity of the current user’s behaviors and historical behaviors, suspected attack behaviors were detected.